Configuring Secure Domain Routers on the Cisco IOS XR Software

Secure domain routers (SDRs) are a
means of dividing a single physical system into multiple logically separated
routers. SDRs are isolated from each other in terms of their resources,
performance, and availability.

For complete descriptions of the SDR
commands listed in this module, see
Related Documents.
To locate documentation for other commands that might appear in the course of
performing a configuration task, search online in
Cisco IOS XR Commands Master List for the Cisco CRS
Router.

Prerequisites for Working with Secure Domain Routers

Initial Setup

The router must be running Cisco IOS XR software and must have a designated shelf controller (DSC).

The root-system username
and password must be assigned as part of the initial configuration.

For more information on
booting a router and performing initial configuration, see
Cisco IOS XR Getting Started Guide for the Cisco CRS
Router.

Required Cards for Each SDR

An additional route processor (RP) pair, DRP, or DRP pair must be installed in each line card (LC) chassis to manage each SDR in the system.

For
additional information on DRPs, refer to
Cisco CRS-1 Carrier Routing System 16-Slot Line Card Chassis
System Description. For instructions on installing DRPs, see
Installing the Cisco CRS-1 Carrier Routing System 16-Slot Line
Card Chassis.

Task ID Requirements

You must be in a user group associated with a task group that
includes the proper task IDs. The command reference guides include the task IDs
required for each command. If you suspect user group assignment is preventing
you from using a command, contact your AAA administrator for assistance.

Software Version Requirements

Cisco IOS XR Software
Releases 2.0, 3.0, and 3.2 support only one owner SDR. Multiple (non-owner)
SDRs are not supported in these releases. The owner SDR cannot be added or
removed from the configuration.

What Is a Secure
Domain Router?

Cisco routers running Cisco IOS XR software can be partitioned into multiple independent routers known as secure domain routers (SDRs). SDRs are a means of dividing a single physical system into multiple logically separated routers. They perform routing functions like a physical router, but they share some resources with the rest of the system. The software, configuration, protocols, and routing tables assigned to an SDR are unique to that SDR. Other functions, such as chassis control and the switch fabric, are shared with the rest of the system.

Owner SDR and Administration Configuration Mode

The
owner SDR is created at system startup and cannot be
removed. This owner SDR performs system-wide functions, including the creation
of additional
non-owner SDRs. You cannot create the owner SDR because it
always exists, nor can you completely remove the owner SDR because it is
necessary to manage the router. By default, all nodes in the system belong to
the owner SDR.

The owner SDR also provides access to the administration EXEC and
administration configuration modes. Only users with root-system privileges can
access the administration modes by logging in to the primary route processor
(RP) for the owner SDR (called the designated shelf controller, or DSC).

Administration modes are used for
the following purposes:

Create and remove additional
non-owner SDRs.

Assign nodes to the
non-owner SDRs.

View the configured SDRs in
the system.

View and manage system-wide
resources and logs.

Note

Administration modes cannot be used to configure the features
within a non-owner SDR, or view the router configuration for a non-owner SDR.
After the SDR is created, users must log into the non-owner SDR directly to
change the local configuration and manage the SDR.

Non-Owner SDRs

To create a new non-owner SDR, the root-system user enters
administration configuration mode, defines a new SDR name, and assigns a set of
cards to that SDR. Only a user with root-system privileges can access the
commands in administration configuration mode. Therefore, users without
root-system privileges cannot create SDRs or assign cards to the SDRs.

After a non-owner SDR is created, the users configured on the non-owner
SDR can log in and manage the router. The configuration for each non-owner SDR
is separate from the owner SDR and can be accessed only by logging in to the
non-owner SDR.

Note

For information regarding support for non-owner SDRs in
Cisco IOS XR software
releases before release 3.9.0, see
Related Topics.

SDR Access Privileges

Each SDR in a router has a separate AAA configuration that defines
usernames, passwords, and associated privileges.

Only users with root-system
privileges can access the administration EXEC and administration configuration
modes.

Users with root-lr privileges can access
only the non-owner SDR in which that username was created.

Users with other access
privileges can access features according to their assigned privileges for a
specific SDR.

For more information about AAA policies, see the
Configuring AAA Services on the Cisco IOS XR
Software
module of Cisco IOS XR System Security Configuration Guide for the
Cisco CRS Router.

Root-System
Users

Users with root-system privileges have access to system-wide features and resources. The root-system user is created during the initial boot and configuration of the router. Root-system privileges include the following:

Ability to create and remove secure domain routers.

Ability to log in to non-owner SDRs using admin plane authentication. Admin plane authentication allows the root-system user to log in to a non-owner SDR regardless of the AAA configuration set by the root-lr user, so an SDR administrator cannot lock root-system users out of that SDR.

Ability to install and activate software packages for all SDRs or for a specific SDR.

Other SDR Users

Additional usernames and passwords can be created by the root-system or root-lr users to provide more restricted access to the configuration and management capabilities of the owner SDR or non-owner SDRs.

Designated Secure Domain
Router Shelf Controller (DSDRSC)

In
a router running
Cisco IOS XR software,
one RP is assigned the role of DSC.
The DSC provides system-wide administration and control capability, including
access to the administration EXEC and administration configuration modes. For
more information on DSCs, refer to
Cisco IOS XR Getting Started Guide for the Cisco CRS
Router.

In each SDR, similar administration and control capabilities are provided by the designated secure domain router shelf controller (DSDRSC). Each SDR must include a DSDRSC to operate, and you must assign an RP or DRP to act as the DSDRSC.

DSCs and DSDRSCs

Designated Shelf Controller (DSC)

The primary and standby DSCs are always an RP pair. By default, the DSC is also the DSDRSC for the owner SDR. The owner SDR's DSDRSCs cannot be removed from the SDR configuration or assigned to a non-owner SDR.

For information on DSC assignment and initial router configuration,
refer to
Cisco IOS XR Getting Started Guide for the Cisco CRS
Router.

Using a DRP or DRP Pair as the DSDRSC

Cisco Systems recommends the use of DRPs as the DSDRSC in non-owner SDRs. An SDR without an RP must designate a DRP or DRP pair as the DSDRSC.

To create a DRP DSDRSC in a non-owner SDR, you must configure a DRP or DRP pair as the primary node for that SDR. The following guidelines apply:

Although a single DRP can
be used as the DSDRSC, we recommend the use of a redundant DRP pair.

To create a DRP pair and
configure it as the DSDRSC, complete the instructions in
Creating SDRs.

DRPs cannot be used as the
DSC in the owner SDR. Only RPs can be used as the DSC in the owner SDR.

DRPs cannot be assigned as
the DSDRSC if an RP is present in the SDR. To assign a DRP as the DSDRSC, you
must first remove any RPs from the SDR configuration, and then add the DRP or
DRP pair as the primary node. After the DRP is assigned as the DSDRSC, the RPs
can be added to the SDR. For more information, see Related Topics.

Note

DRPs can also be used to provide additional processing capacity. For
additional information on DRPs, see
Cisco CRS-1 Carrier Routing System 16-Slot Line Card Chassis
System Description. For instructions on installing DRPs, see
Installing the Cisco CRS-1 Carrier Routing System 16-Slot Line
Card Chassis. For information on using DRPs for additional processing
capacity, see the
Process Placement on Cisco IOS XR Software module
in Cisco IOS XR System Management Configuration Guide for the
Cisco CRS Router.

Using an RP Pair as the DSDRSC

RP pairs can also be
used as the DSDRSC in non-owner SDRs.

Single RPs cannot be used
as the DSDRSC.

Redundant RPs are
installed in slots RP0 and RP1 of each line card chassis.

Although an RP pair can be used as the DSDRSC in non-owner SDRs, we
recommend the use of a redundant DRP pair.

Removing a DSDRSC Configuration

There are two ways to remove a DSDRSC from an SDR:

First remove all other
nodes from the SDR configuration, and then remove the DSDRSC node. You cannot
remove the DSDRSC node when other nodes are in the SDR configuration.

Remove the entire SDR.
Removing an SDR name deletes the SDR and moves all nodes back to the owner SDR
inventory.
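The two removal paths as a worked session, added here as an example; it is not taken from the original page. The `no location` command in SDR configuration submode, the prompts, and the node IDs (a DRP pair in slot 3 as the DSDRSC, line cards in slots 4 and 5) are assumed IOS XR syntax and are not shown on this page.

```text
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# configure
! Path 1: remove every other node first. The DSDRSC (0/3/*) cannot be removed
! while any other node is still in the SDR configuration.
RP/0/RP0/CPU0:router(admin-config)# sdr rname
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# no location 0/4/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# no location 0/5/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# commit
! Only now can the DSDRSC itself be removed.
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# no location 0/3/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# commit
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# exit

! Path 2 (alternative, or to clean up the now-empty SDR name): removing the
! SDR returns all of its nodes to the owner SDR inventory in one step.
RP/0/RP0/CPU0:router(admin-config)# no sdr rname
RP/0/RP0/CPU0:router(admin-config)# commit
```

Path 1 is the one to use when the DSDRSC must change but the SDR name, and the configuration the SDR's own users have built, should survive; path 2 discards the SDR entirely.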

Default Configuration for New Non-Owner SDRs

By default, the configuration of a new SDR is blank. The first
configuration step after creating an SDR is to log in to the new non-owner SDR
using admin plane authentication and create a username and password. You can
then log out of the SDR and log back in using the new username and password.

Note

When logged in to a non-owner SDR using admin plane authentication, the admin configuration is displayed. However, admin plane authentication should be used only to configure a username and password for the non-owner SDR. To perform additional configuration tasks, log in with the username for the non-owner SDR.

Default Software Profile for SDRs

When a new non-owner SDR is created, the nodes assigned to that SDR
are activated with the default software package profile. The default software profile is defined by the last install operation that did
not specify an SDR.

To view the default software profile, use the show install active summary command in administration EXEC mode. Any new nodes that are configured to become a part of an SDR will boot with the default software profile listed in the output of this command.

High Availability Implications

Fault Isolation

Because the CPU and memory of an SDR are not shared with other SDRs, configuration problems that cause out-of-resources conditions in one SDR do not affect other SDRs.

Rebooting an SDR

Each non-owner SDR can be rebooted independently of the other SDRs in the system. If you reboot the owner SDR, however, then all non-owner SDRs in the system automatically reboot, because the non-owner SDRs rely on the owner SDR for basic chassis management functionality.

Note

The DSDRSC of the owner SDR is also the DSC of the entire system.

DSDRSC Redundancy

To achieve full redundancy, each SDR must be assigned two cards: one to act as the primary DSDRSC and one RP or DRP to act as a standby DSDRSC.

We recommend the use of DRP pairs as the DSDRSC for all non-owner SDRs in the system.

Cisco IOS XR Software Package Management

Software packages are added to the DSC of the system from administration EXEC mode. Once added, a package can be activated for all SDRs in the system or for a specific SDR. For detailed
instructions regarding software package management, see the
Upgrading and Managing Cisco IOS XR Software module of Cisco IOS XR System Management Configuration Guide for the
Cisco CRS Router.
See also the
Software Package Management Commands on the Cisco IOS XR
Software module of
Cisco IOS XR System Management Command Reference for the
Cisco CRS Router.

Note

SDR-specific activation is supported for specific packages and
upgrades, such as optional packages and SMUs. Packages that do not support
SDR-specific activation can only be activated for all SDRs in the system.

To access
install commands, you must be a member of the
root-system user group with access to the administration EXEC mode.

Most show install commands can be used in the EXEC mode of an SDR to view the details of the active packages for that SDR.

Single RPs are not supported for the DSDRSC. RPs must be
installed and configured in redundant pairs.

Admin plane events are
displayed only on the non-owner SDR.

Some admin plane debug
events are not displayed on the owner SDR. For example, a non-owner card cannot
send debug events to the DSC, which limits the debugging of administration
processes to the non-owner SDR.

How to Configure Secure Domain Routers

To create an SDR, configure an SDR name and then add nodes to the configuration. At least one node in each SDR must be explicitly configured as the DSDRSC. After the SDR is created, you can add or remove additional nodes and create a username and password for the SDR.

Creating SDRs

To create a non-owner SDR, create an SDR name, add a DSDRSC, and then
add additional nodes to the configuration. After the SDR is created, you can
create a username and password for the SDR to allow additional configuration.

Note

The Cisco CRS-1 supports a maximum of eight SDRs, including one
owner SDR and up to seven non-owner SDRs.

The 4-slot line card chassis does not support the creation of multiple SDRs.

Before You Begin

The procedures in this section can be performed only on a router that
is already running Cisco IOS XR software.
For instructions to boot a router and perform the initial configuration, see
Cisco IOS XR Getting Started Guide for the Cisco CRS
Router.
When a router is booted, the owner SDR is automatically created and cannot be removed. That guide also includes instructions to create the owner SDR username and password.

If you end a configuration session with uncommitted changes, the router prompts you to commit them. At that prompt:

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
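The complete creation sequence for the procedure outlined in this section, added here as an example; it is not taken from the original page. The `sdr` and `location partially-qualified-nodeid [primary]` administration configuration commands, the prompts, the node IDs (a DRP in slot 3 of the owner chassis as 0/3/*, line cards in slots 4 and 5, and an RP pair in slots RP0 and RP1 of line card chassis 1) and the `show sdr summary` check are assumed IOS XR syntax and are not shown on this page. The example follows the ordering rule from Using a DRP or DRP Pair as the DSDRSC: the DRP pair becomes the DSDRSC in the first commit, and the RP pair is added only afterwards.

```text
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# configure
! Create the SDR name; the first node assigned must be the DSDRSC.
RP/0/RP0/CPU0:router(admin-config)# sdr rname
! 0/3/* selects both CPUs of the DRP in slot 3, so the SDR gets a redundant
! primary and standby DSDRSC. No RP may be in the SDR at this point.
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# location 0/3/* primary
! Line cards whose interfaces belong to this SDR.
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# location 0/4/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# location 0/5/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# commit

! Second commit: with the DRP pair already acting as DSDRSC, an RP pair
! (RP0 and RP1 of line card chassis 1) can now be added to the SDR.
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# location 1/RP0/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# location 1/RP1/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# commit
RP/0/RP0/CPU0:router(admin-config-sdr:rname)# end

! Confirm the SDR and its node assignments from administration EXEC mode.
RP/0/RP0/CPU0:router(admin)# show sdr summary
```

Had the RP pair been added in the first commit, the DRP could not have been made the DSDRSC; the RPs would first have to be removed again. The new SDR starts with a blank configuration and the default software profile, so the next step is to log in to its DSDRSC with admin plane authentication and create a root-lr user, as described under Configuring a Username and Password for a Non-Owner SDR.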

Removing an SDR

This section provides instructions to remove a secure domain router
from your router. To remove an SDR, you can either remove all the nodes in the
SDR individually or remove the SDR name. This section contains instructions to
remove the SDR name and return all nodes to the owner SDR inventory.

Note

The owner SDR cannot be removed. Only non-owner SDRs can be removed.

SUMMARY STEPS

1. admin

2. configure

3. no sdr sdr-name

4. commit

DETAILED STEPS


Step 1

admin

Example:

RP/0/RP0/CPU0:router# admin

Enters
administration EXEC mode.

Step 2

configure

Example:

RP/0/RP0/CPU0:router(admin)# configure

Enters
administration configuration mode.

Step 3

no sdr sdr-name

Example:

RP/0/RP0/CPU0:router(admin-config)# no sdr rname

Removes the specified non-owner SDR from the configuration.

Note

All slots belonging to that SDR return to the owner SDR
inventory.

Step 4

commit

Configuring a Username and Password for a Non-Owner SDR

After you create an SDR, you can create a username and password on
that SDR. When you assign root-lr privileges to that username, the user can
administer the non-owner SDR and create additional users if necessary.

The local keyword specifies a method list that uses the local username database for authentication. Local authentication cannot fail, because the system always ensures that at least one user is present in the local database, and there is no rollover to another method beyond local.

Note

You can also use other authentication methods, such as TACACS+ or RADIUS servers. See the Configuring AAA Services on the Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router for more information.

Note

When logged in to a non-owner SDR using admin plane
authentication, the admin configuration is displayed. However, admin plane
authentication should only be used to configure a username and password for the
non-owner SDR. To perform additional configuration tasks, log in with the
username for the non-owner SDR, as described in the following steps.

Step 5

commit

Step 6

Connect a terminal to the console port of the non-owner SDR
DSDRSC.

Note

A terminal server connection is required for Telnet connections
to the console port because an IP address has not yet been assigned to the
management Ethernet port.

Step 7

Log in to the non-owner SDR using admin plane authentication.

Example:

Username:xxxx@admin
Password:pppp

Logs a root-system user into the SDR using admin plane
authentication.

Note

When prompted for the Username, use your username followed by
@admin.

Step 8

configure

Step 9

username username

Example:

RP/0/RP0/CPU0:router(config)# username user1

Defines an SDR username and enters username configuration mode.

The
username argument can be only one word. Spaces and
quotation marks are not allowed.

Step 10

secret password

Example:

RP/0/RP0/CPU0:router(config-un)# secret 5 XXXX

Defines a password for the user. The secret keyword stores a one-way hash rather than a reversible password; the 5 in the example indicates that the value that follows is an already-hashed (type 5) string.

Step 11

group root-lr

Example:

RP/0/RP0/CPU0:router(config-un)# group root-lr

Adds the user to the predefined root-lr group.

Note

Only users with root-system authority or root-lr authority may
use this option.

Step 12

commit

Step 13

exit

Example:

RP/0/RP0/CPU0:router# exit

Closes the active terminal session and logs off the router.

Step 14

Log back in with the SDR administrator username and password you
created.

Example:

Press RETURN to get started.
Username:xxxx
Password:ppppp

Logs back in with the SDR administrator username and password you
created. This username is used to configure the secure domain router and create
other users with fewer privileges.
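An end-to-end session for this procedure, added here as an example; it is not taken from the original page. The `aaa authentication login remote local` administration configuration command (the command whose local keyword is described above), the `secret 0` form that takes a cleartext password and stores the type 5 hash, the `show user group` check, the account names, and the prompts (the DSDRSC is assumed to be a DRP in slot 3) are assumed IOS XR syntax and are not shown on this page.

```text
! On the DSC, as a root-system user: define the method list used by admin
! plane authentication. With only "local", no fallback to another method
! is possible.
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# configure
RP/0/RP0/CPU0:router(admin-config)# aaa authentication login remote local
RP/0/RP0/CPU0:router(admin-config)# commit
RP/0/RP0/CPU0:router(admin-config)# end

! On the console of the non-owner SDR's DSDRSC, reached through a terminal
! server (the SDR has no management IP address yet). "@admin" selects admin
! plane authentication, so this login is not subject to the SDR's local AAA.
Username: rootsys@admin
Password:
DRP/0/3/CPU0:router# configure
DRP/0/3/CPU0:router(config)# username sdradmin
! "secret 0" takes cleartext here and stores a one-way type 5 hash;
! "secret 5 <hash>" would paste an existing hash instead.
DRP/0/3/CPU0:router(config-un)# secret 0 Us3-a-long-passphrase
DRP/0/3/CPU0:router(config-un)# group root-lr
DRP/0/3/CPU0:router(config-un)# commit
DRP/0/3/CPU0:router(config-un)# end
DRP/0/3/CPU0:router# exit

! Log back in with the SDR-local account and confirm its group membership.
Username: sdradmin
Password:
DRP/0/3/CPU0:router# show user group
```

From here on, use sdradmin, or the less privileged users it creates, for the SDR's own configuration, and keep the user@admin login for bootstrapping only. Because admin plane authentication is not controlled by the SDR's root-lr user, it remains available to root-system users even if sdradmin later changes the SDR's AAA configuration.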

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.